
From MCX to DDM: The End of User-Level MDM

Why User-Level MDM on macOS Doesn’t Work Well in Modern Mac Management

If you’ve ever wondered why user-level MDM for macOS feels clunky—or worse, completely irrelevant—in today’s Mac management world, the answer lies deep in the history of how macOS used to handle users, groups, and computers.

The Roots: Open Directory and MCX

Back in the day, macOS management revolved around Open Directory (OD). OD managed objects like users, groups, and computers, along with their apps and settings. The underlying engine for applying those settings was MCX (Managed Client for OS X). If you were around then, you probably remember Workgroup Manager—the GUI tool that made OD administration bearable. It was essentially the visual representation of this entire system.

See for yourself: https://www.apple.com/server/docs/Workgroup_Manager_TB_v10.4.pdf

In that world:

  • Computer-level policy applied at startup and at regular intervals.
  • User-level policy applied at login.

Sound familiar? It should—because when Apple introduced MDM, they didn’t reinvent the wheel. They ported much of this logic from OD to MDM, keeping MCX as the underlying mechanism for applying settings.

From Line-of-Sight to Over-the-Air

OD was a line-of-sight system, similar to how Group Policy works for domain-joined Windows devices in Active Directory. MDM flipped that model on its head, moving to over-the-air management via an MDM server.

Profiles installed at the system level became the equivalent of computer objects in OD. Profiles installed at the user level mirrored user objects in OD.

Here’s the catch: in Workgroup Manager, user objects only applied to OD/LDAP users logging in, not local accounts. When Apple brought this concept into MDM, they assumed a similar relationship—AD/OD/LDAP mobile accounts fetching user-level profiles from MDM, just like OD accounts fetching MCX.

The Bridge That Broke

To make this work for local accounts, Apple built a “bridge.” The idea was simple: tie user-level profiles to the primary local user account on an MDM-managed device. That link was established during enrollment—either by the logged-in user at the time or later via Automated Device Enrollment (ADE) designating the MDM-enabled user.

Fast-forward to today:

  • AD binding and mobile accounts? Dead.
  • Local accounts linked to cloud identity? The new normal.

And that’s where the wheels fall off. User-level MDM on macOS is rigid, confusing, and often more trouble than it’s worth. It’s a relic of a world that no longer exists.

Enter DDM: The Future

With Declarative Device Management (DDM) now taking center stage as “the way forward,” don’t expect Apple to give user-level MDM any love. That code is legacy, and it’s staying that way.

As noted in a recent conversation on the MacAdmins Slack, user channel configurations ARE alive in DDM, but they appear to have the same limitations.

Another example: Apple chose to invest in user-level MDM for Apple Classroom for macOS as well, but it is bound by the same limitations.

What’s Next For Admins?

If you’re managing Macs heading into 2026, here’s what you should do instead of relying on user-level MDM on macOS:

  1. Simplify Policy Design
    Instead of complex user-level policies, design device-based configurations that meet most use cases. For exceptions, consider app-level controls or conditional access.
  2. Integrate Cloud Identity
    Use identity providers like Azure AD, Okta, or Google Workspace for authentication and access control. See:

    How to Hold macOS User Identity in 2025
  3. Leverage Declarative Device Management (DDM)
    Start adopting device-level DDM features now. They’re designed for modern identity models and will eventually replace traditional MDM workflows. Test user-level DDM with caution and make sure it doesn’t fall into the same age-old trap.

Why Make This Post?

The reason user-level MDM has come up a lot in my conversations lately is its USEFULNESS. Example:

“I want to deploy a unique configuration [like a certificate] to EACH user, when they login”

The Real Problem: the user channel is best suited to Macs where multiple users may sign in. The way we sign multiple users into a Mac today doesn’t support user-channel MDM for EVERY user.
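You can see this on a real Mac: only the MDM-enabled (“bridge”) account ends up with user-channel profiles, every other local account comes back empty. The audit script below is added here and is not from the original post; it assumes the `profiles list` / `profiles list -user` output shape shown in its comments, and the sample in the comment is constructed.

```shell
#!/bin/sh
# Added example (not part of the original post): compare the system channel
# with the user channel for every local account on a Mac.
# Expected on a modern Mac: the system channel has profiles, the MDM-enabled
# user may have some, and all other local users report 0.

# Count installed profile identifiers in `profiles list` style output.
# Assumed line format (constructed sample):
#   bob[1] attribute: profileIdentifier: com.example.wifi
# `grep -c` prints 0 when nothing matches but exits 1, so swallow that status.
count_profile_ids() {
    printf '%s\n' "$1" | grep -c 'attribute: profileIdentifier:' || true
}

# Print just the profile identifiers, one per line, from the same output.
list_profile_ids() {
    printf '%s\n' "$1" | sed -n 's/.*attribute: profileIdentifier: //p'
}

# Live audit (macOS only): system channel first, then every local account
# with UID >= 500, which is where real user accounts live on macOS.
audit_user_channel() {
    if ! command -v profiles >/dev/null 2>&1; then
        echo "profiles(1) not found; run this on macOS as an admin" >&2
        return 1
    fi
    sys_out=$(profiles list 2>/dev/null)
    printf 'system channel: %s profile(s)\n' "$(count_profile_ids "$sys_out")"
    list_profile_ids "$sys_out" | sed 's/^/    /'

    dscl . -list /Users UniqueID | awk '$2 >= 500 { print $1 }' |
    while read -r user; do
        out=$(profiles list -user "$user" 2>/dev/null)
        printf 'user channel  %-16s %s profile(s)\n' "$user" "$(count_profile_ids "$out")"
    done
}
```

Run `sudo sh audit.sh` after saving the block and calling `audit_user_channel` at the end; a fleet-wide version of the same counts tells you quickly how many accounts a user-channel payload would actually reach.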

To understand its origin is to understand its purpose, and to have more empathy for why it doesn’t do what you would expect.

Bottom line: Stop fighting Apple’s tech debt. Embrace system-level management (MDM and DDM) – it’s the future (for now 😉) of macOS device management.

By Aaron

Aaron David Polley is a Canadian-born Musician and MacAdmin based in the Sunshine Coast, Queensland, Australia.

He grew up in a musical family that had a long history of accomplished musicians and songwriters. His own writing ability surfaced at the age of 7 when his first musical arrangement was used in a church service as a congregational song.

As an IT professional of 20+ years, most of his time is now leading 20+ staff at work and a family of 5 at home.